Log In

macOS security flaw: How to protect yourself

A huge security flaw lets anyone log in to a Mac running Apple's latest OS. Here’s what High Sierra users need to do.

There's been a sharp rise in the number of breaches and security flaws in recent years, but the latest affecting Apple's latest operating system macOS High Sierra is something else.

While most flaws can only be exploited by hackers or people with a certain level of technical knowledge, a vulnerability found in the Mac software can be taken advantage by anyone.

If you're running High Sierra 10.13.1, it's possible for anyone to log in to your account and preferences simply by typing the word “root” in the username field. That's right, you can get access to an entire drive, personal files, account preferences (including those in security and privacy) and could even install software, including malware, with a simple login.

We have been able to replicate the flaw, although it took three attempts for it to work. Either way, this is huge.

The flaw appears to have been first identified by security researcher Lemi Orhan Ergin, founder of Software Craftsman Turkey, who posted the details on Twitter. In the tweet Ergin wrote: “Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as ‘root’ with empty password after clicking on login button several times. Are you aware of it @Apple?”

Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

He then followed it up with: “You can access [the flaw] via System Preferences>Users & Groups>Click the lock to make changes. Then use ‘root’ with no password. And try it for several times. Result is unbelievable!”

UPDATE: There was a temporary workaround (details below) but Apple has since released a permanent fix in the form of a security update, called 2017-001. The update is available for anyone running macOS High Sierra 10.13 and macOS High Sierra 10.13.1 as the flaw does not affect macOS Sierra 10.12.6 or earlier. Apple lists the flaw as "a logic error in the validation of credentials."

Install Apple's security update

To update to the latest software and install this security update:

Open the App Store

Click Updates from the toolbar

Press the Update buttons next to each entry to download and install any updates listed

If your Mac is set up for automatic updates, or if you want to check the update process has worked:

Open the Terminal app in Utilities, found in the Applications folder.

Type what /usr/libexec/opendirectoryd and press Enter

If Security Update 2017-001 was installed successfully, you will see one of these project version numbers:
opendirectoryd-483.1.5 on macOS High Sierra 10.13
opendirectoryd-483.20.7 on macOS High Sierra 10.13.1

Not everyone has been able to replicate the flaw, and Ergin has been fiercely criticised for making the flaw public rather than going through a bug bounty program or highlighting the vulnerability through the proper channels to Apple directly.

This isn't the first bug seen in High Sierra. On the day of launch, malicious code was found on the system that could access and steal keychain data without a password. Another flaw exposed a user's password as a password hint when trying to unlock an encrypted partition.

All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.Your use of this website
constitutes acceptance of nextmedia's Privacy Policy and
Terms & Conditions.